Security Basics mailing list archives
RE: password protection in office XP documents
From: "Larry Seltzer" <larry () larryseltzer com>
Date: Sat, 14 Jun 2003 07:23:27 -0400
How would you think it possible to password-protect an HTML document? If it were effective no browser could access it. Sounds like it's a bug that they offer it, but I'm not sure it's a security issue.

Password protection works much better on the other, binary formats, although better for some than others. The standard encryption for the older Office formats has been cracked by dozens of programs (see http://lostpassword.com/ for example). Recent versions of Office have many encryption options that aren't quite as easily cracked; the attacks use dictionaries and brute force, so a strong password can make it impractical to attack.

Larry Seltzer
Editor Ziff Davis Security SuperSite
http://security.ziffdavis.com/
larryseltzer () ziffdavis com

-----Original Message-----
From: security () rexwire com [mailto:security () rexwire com]
Sent: Friday, June 13, 2003 12:24 PM
To: vuln-dev () securityfocus com
Cc: security-basics () securityfocus com
Subject: password protection in office XP documents

Why has Microsoft bothered putting document protection in their application? It takes 5 seconds to bypass it.

Save an office document (that has document protection) as a .html document and then edit the page in an HTML editor, remove everything between the <o:DocumentProperties> </style>. Now open this page in Word and all the protection is gone. No need to know the password.

Microsoft even documents this in their help file. Should this not be considered a security violation from a user point of view?

SKP
